The Federal Deposit Insurance Corporation has failed to establish effective controls to secure and maintain the data access infrastructure overseeing the agency’s information systems, according to a new report.
The FDIC Office of Inspector General report published Wednesday said the failure, centered on its Active Directory service, leaves the agency’s information systems susceptible to intrusions from malicious actors and cybercriminals seeking sensitive data.
The agency tasked with supervising financial institutions and protecting bank customers nationwide has meanwhile struggled for years to improve its information security controls, with previous reports also citing a similar lack of authorization controls.
The Active Directory service, developed by Microsoft, oversees centralized system access on a network, allowing administrators to control user privileges to certain components while enforcing security policies. Within FDIC, the chief information officer organization is responsible for AD operations ranging from adding and removing user access to applying configuration changes.
The report said FDIC’s AD infrastructure is an “attractive target” for malicious actors since attackers can potentially “obtain, manipulate, or delete data across the network, causing serious damage to the FDIC and its mission and reputation.”
The FDIC’s authorization issues run the gamut, according to the OIG report, from accounts configured with excessive privileges, to challenges around password management and the deletion of inactive accounts. The report found multiple privileged users reused passwords, shared passwords across multiple accounts and failed to change their login information for over a year.
The FDIC isn’t the only agency facing password management challenges, however. A recent report from the cybersecurity firm SpyCloud found that many federal employees continued to practice poor cyber hygiene last year despite a major push from the White House and the Cybersecurity and Infrastructure Security Agency to bolster federal cybersecurity.
The latest audit of the FDIC found that the agency lacked effective security controls in at least seven of the 12 areas assessed for the report. The FDIC had not enabled performance monitoring on multiple domain controllers associated with its AD infrastructure, while several servers were running unsupported versions of the Windows or Windows Server operating system.
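The findings described above (stale privileged passwords, inactive accounts, and domain controllers on unsupported operating systems) are all visible from ordinary directory attributes. The following read-only PowerShell audit is an added example, not part of the OIG report or any FDIC tooling; it assumes the RSAT ActiveDirectory module, read access to the domain, and the thresholds and group names declared at the top, which are assumptions rather than values from the report.

```powershell
# Added example: read-only audit for the classes of AD weakness cited in the report.
# Assumes the ActiveDirectory module is installed; thresholds below are assumptions.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 365   # report cites privileged logins unchanged for over a year
$InactiveDays       = 90    # assumed window for treating an enabled account as inactive
$PrivilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
# Assumed prefixes of Windows Server releases that are out of support (R2 variants match too).
$UnsupportedOS      = @('Windows Server 2003', 'Windows Server 2008', 'Windows Server 2012')

$now = Get-Date
$findings = New-Object System.Collections.Generic.List[object]

# 1. Privileged users whose password is older than the threshold or set to never expire.
$privileged = $PrivilegedGroups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName -Unique

foreach ($sam in $privileged) {
    $u = Get-ADUser -Identity $sam -Properties PasswordLastSet, PasswordNeverExpires, Enabled
    if (-not $u.Enabled) { continue }
    # A null PasswordLastSet means the password must be changed at next logon; treat as stale.
    $ageDays = if ($u.PasswordLastSet) { ($now - $u.PasswordLastSet).Days } else { [int]::MaxValue }
    if ($u.PasswordNeverExpires -or $ageDays -gt $MaxPasswordAgeDays) {
        $findings.Add([pscustomobject]@{ Area = 'PasswordManagement'; Object = $sam
            Detail = "privileged; password age $ageDays days; never-expires=$($u.PasswordNeverExpires)" })
    }
}

# 2. Enabled user accounts with no logon inside the inactivity window (candidates for removal).
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{ Area = 'AccountConfiguration'; Object = $_.SamAccountName
            Detail = "enabled but no logon in $InactiveDays days (last: $($_.LastLogonDate))" })
    }

# 3. Domain controllers whose operating system matches an unsupported release.
Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_
    if ($UnsupportedOS | Where-Object { $dc.OperatingSystem -like "$_*" }) {
        $findings.Add([pscustomobject]@{ Area = 'Patching'; Object = $dc.HostName
            Detail = "running $($dc.OperatingSystem)" })
    }
}

$findings | Sort-Object Area, Object | Format-Table -AutoSize
```

Password reuse across accounts, which the report also cites, is not recoverable from these attributes and needs a separate credential-hygiene control; this script only surfaces what the directory itself records.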
Further, the report found that the AD operations manual featured inaccurate information surrounding the agency’s implementation of the AD framework.
The OIG report featured 15 recommendations for the FDIC to improve its AD security controls across the seven areas that lacked effective measures, including password management, account configuration, access management and audit logging.
Those recommendations included instructions for the agency to provide password training, implement controls to track password usage and better regulate misconfigured and inactive accounts.
In its response to the OIG report, the FDIC agreed with all 15 recommendations while noting that the audit found effective controls in place to secure and manage five of the 12 security control areas assessed. The response said the office of the chief information officer for the FDIC will oversee the implementation of a majority of the recommendations.